HIPAA is the Health Insurance Portability and Accountability Act. It’s the legislation that makes sure your protected health information (PHI) is kept private and secure. It covers how healthcare providers and associated businesses must handle your data and protect your health information, and it provides the standards needed to ensure PHI is stored, handled, and accessed correctly at all times.
It also lays out the significant fines and penalties for individuals and organizations that handle sensitive PHI data but don’t comply with the standards.
Initially only doctors, hospitals, and insurance companies needed to comply with HIPAA specifications, as they were the only people and organizations with access to PHI. These are known as Covered Entities and include any organization that provides “treatment, payment, and health care operations.”
Covered Entities include:
However, a 2013 update increased the scope of HIPAA to take into account the increased use of outsourcing and cloud providers in healthcare. Any service that transmits, stores, or receives PHI is now categorized as a Business Associate and has to comply with HIPAA.
Business Associates include:
For a covered entity or a business associate to be compliant with HIPAA law, they are required to do 4 things:
Of the 4 HIPAA rules (Security, Privacy, Enforcement, and Breach Notification) it’s the HIPAA Security Rule that developers have to pay close attention to.
For SaaS companies wanting to work with healthcare providers, medical organizations or business associates already working in the industry, the Security Rule sets out how PHI data must be handled by the app or service.
This rule lays out the Technical Safeguards that make sure access to data is controlled, that data is secure, and individuals are properly authenticated.
Using HIPAA standards opens you up to new customers in a growing market. 67% of healthcare organizations are currently using a SaaS service in their workflow, and 92% of healthcare providers say that they can see a future use for SaaS in their organization. By applying HIPAA standards, you can tap into the $3 trillion healthcare industry.
By working towards HIPAA compliance, you are able to market yourself to 3 new customer bases:
Auth0 offers HIPAA Business Associate Agreements to customers handling PHI data. This allows companies to be HIPAA-compliant by using Auth0 as an identity and authentication service.
Here are 3 HIPAA security rule technical safeguards addressed by Auth0:
In the case of emergency, an account might need to be temporarily shared with another user. To be compliant, this sharing must be temporary and used only in a true emergency. Qualified emergencies might include times when access to a patient’s data is time-critical, but the authorized user is away, or has been recently terminated.
To access PHI in an emergency with Auth0, instead of using bad, non-compliant practices such as superuser backdoors, you can use the “Sign In As…” feature to access the account quickly and temporarily.
Automatic Logoff is an “addressable” part of the technical requirements of the Security Rule. This doesn’t mean it is optional: addressable specifications should be implemented if it’s reasonable and appropriate to do so.
You can easily set Auth0 to automatically log out a user after a certain length of inactivity using the dashboard. You just have to set the JSON Web Token expiration time, in App Settings, to your predetermined period of inactivity. In this scenario, the app will automatically log the user out after 15 minutes of inactivity:
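As an added example (not code from this post or from Auth0), here is how a client application could enforce that automatic-logoff policy: the JWT’s `exp` claim is treated as a hard cutoff and a separate sliding timer covers the 15-minute inactivity window. The token used is a constructed, unsigned sample; signature verification is assumed to happen in the Auth0 SDK or on the server, not here.

```javascript
// Added example, not Auth0's code. Enforces automatic logoff on the client:
// (1) the JWT `exp` claim is a hard expiry, (2) a sliding window ends the
// session after 15 minutes without user activity.
// Assumption: the token is a standard three-part JWT with a JSON payload.
// The signature is NOT checked here; that is the SDK's / server's job.

const INACTIVITY_LIMIT_MS = 15 * 60 * 1000; // the 15-minute policy above

// Decode the JWT payload (claims only, no signature verification).
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed JWT');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// True when `exp` (seconds since epoch) is missing or already in the past.
function isTokenExpired(token, nowMs) {
  const { exp } = decodeJwtPayload(token);
  if (typeof exp !== 'number') return true; // no exp claim: fail closed
  return nowMs >= exp * 1000;
}

// Tracks the last user activity and reports whether the session must end.
class AutoLogoff {
  constructor(token, startMs, limitMs = INACTIVITY_LIMIT_MS) {
    this.token = token;
    this.lastActivity = startMs;
    this.limitMs = limitMs;
  }
  // Call on click, keypress, navigation, etc. to reset the inactivity window.
  touch(nowMs) { this.lastActivity = nowMs; }
  // Returns 'token-expired', 'inactive', or 'active' (check exp first).
  check(nowMs) {
    if (isTokenExpired(this.token, nowMs)) return 'token-expired';
    if (nowMs - this.lastActivity >= this.limitMs) return 'inactive';
    return 'active';
  }
}

// Constructed, unsigned sample token for the demo (alg "none", empty signature).
function makeSampleToken(iat, exp) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc({ sub: 'user1', iat, exp })}.`;
}
```

Note that `exp` is an absolute lifetime measured from issuance, not from the last request, so the sliding timer is what actually measures inactivity; the `exp` check is the backstop that ends the session even if the timer is bypassed.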
To keep the data private and secure, it’s important to authenticate users properly so that only those with the requisite credentials can access the accounts. Using Auth0, a business associate or covered entity can use their own federated sign-on solution through SAML to control access. Implementing SAML in Auth0 is easy; see the video tutorial.